XWIKI-24125: The spaces property for the TemplateProviderClass should not list non-accessible page references

xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-ui/src/main/resources/XWiki/TemplateProviderClass.xml

@@ -84,7 +84,7 @@
       <separators>,</separators>
       <size>1</size>
       <sort>none</sort>
-      <sql>select distinct doc.web from XWikiDocument doc</sql>
+      <sql>select distinct doc.fullName as permissionCheck, doc.web from XWikiDocument doc where doc.name = 'WebHome' order by doc.web</sql>
       <unmodifiable>0</unmodifiable>
       <validationMessage/>
       <validationRegExp/>
@@ -149,7 +149,7 @@
       <classname/>
       <customDisplay/>
       <disabled>0</disabled>
-      <displayType>checkbox</displayType>
+      <displayType>input</displayType>
       <idField/>
       <multiSelect>1</multiSelect>
       <name>spaces</name>
@@ -159,9 +159,9 @@
       <relationalStorage>0</relationalStorage>
       <separator>,</separator>
       <separators>,</separators>
-      <size>10</size>
+      <size>30</size>
       <sort>none</sort>
-      <sql>select distinct doc.web from XWikiDocument doc order by doc.web</sql>
+      <sql>select distinct doc.fullName as permissionCheck, doc.web from XWikiDocument doc where doc.name = 'WebHome' order by doc.web</sql>
       <unmodifiable>0</unmodifiable>
       <validationMessage/>
       <validationRegExp/>
@@ -224,7 +224,7 @@
       <separators>,</separators>
       <size>1</size>
       <sort>none</sort>
-      <sql>select distinct doc.web from XWikiDocument doc order by doc.web</sql>
+      <sql>select distinct doc.fullName as permissionCheck, doc.web from XWikiDocument doc where doc.name = 'WebHome' order by doc.web</sql>
       <unmodifiable>0</unmodifiable>
       <validationMessage/>
       <validationRegExp/>

xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/internal/objects/classes/ExplicitlyAllowedValuesDBListQueryBuilder.java

@@ -36,6 +36,7 @@
 import org.xwiki.query.Query;
 import org.xwiki.query.QueryBuilder;
 import org.xwiki.query.QueryException;
+import org.xwiki.query.QueryFilter;
 import org.xwiki.query.QueryManager;
 import org.xwiki.security.authorization.AuthorExecutor;
 import org.xwiki.security.authorization.DocumentAuthorizationManager;
@@ -75,6 +76,10 @@ public class ExplicitlyAllowedValuesDBListQueryBuilder implements QueryBuilder<D
     @Named("secure")
     private QueryManager secureQueryManager;
 
+    @Inject
+    @Named("viewableAllowedDBListPropertyValue")
+    private QueryFilter viewableValueFilter;
+
     @Override
     public Query build(DBListClass dbListClass) throws QueryException
     {
@@ -98,6 +103,15 @@ public Query build(DBListClass dbListClass) throws QueryException
 
         Query query = this.secureQueryManager.createQuery(statement, Query.HQL);
         query.setWiki(documentReference.getWikiReference().getName());
+        // The custom HQL query should pass "doc.fullName as permissionCheck" as the first select row, whenever it
+        // needs that the current user has "view" rights on the returned documents. This is used to filter out
+        // inaccessible documents and not propose them. Note that the "doc.fullName as permissionCheck" column
+        // results will be filtered out by the QueryFilter and if you need to return doc.fullName results, you
+        // should select 2 columns, as in:
+        //   select doc.fullName as permissionCheck, doc.fullName, ...
+        if (dbListClass.getSql() != null && dbListClass.getSql().contains("doc.fullName as permissionCheck")) {
+            query.addFilter(this.viewableValueFilter);
+        }
         return query;
     }
 

xwiki-platform-core/xwiki-platform-oldcore/src/test/java/com/xpn/xwiki/internal/objects/classes/ExplicitlyAllowedValuesDBListQueryBuilderTest.java

@@ -32,6 +32,7 @@
 import org.xwiki.model.EntityType;
 import org.xwiki.model.reference.DocumentReference;
 import org.xwiki.query.Query;
+import org.xwiki.query.QueryFilter;
 import org.xwiki.query.QueryManager;
 import org.xwiki.security.authorization.AuthorExecutor;
 import org.xwiki.security.authorization.DocumentAuthorizationManager;
@@ -50,6 +51,7 @@
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
@@ -84,6 +86,10 @@ public class ExplicitlyAllowedValuesDBListQueryBuilderTest
     @MockComponent
     private VelocityManager velocityManager;
 
+    @MockComponent
+    @Named("viewableAllowedDBListPropertyValue")
+    private QueryFilter viewableValueFilter;
+
     @Mock
     private VelocityEngine velocityEngine;
 
@@ -136,6 +142,9 @@ public String answer(InvocationOnMock invocation) throws Throwable
         when(this.secureQueryManager.createQuery(evaluatedStatement, Query.HQL)).thenReturn(query);
 
         assertSame(query, this.builder.build(this.dbListClass));
+
+        // SQL does not contain "doc.fullName", so the viewable value filter should not be applied.
+        verify(query, never()).addFilter(this.viewableValueFilter);
     }
 
     @Test
@@ -147,5 +156,24 @@ public void buildWithoutScriptRight() throws Exception
         assertSame(query, this.builder.build(this.dbListClass));
 
         verify(query).setWiki("math");
+        // SQL does not contain "doc.fullName", so the viewable value filter should not be applied.
+        verify(query, never()).addFilter(this.viewableValueFilter);
+    }
+
+    @Test
+    public void buildWithDocFullNameAppliesViewableFilter() throws Exception
+    {
+        String sqlWithFullName = "select distinct doc.fullName as permissionCheck, doc.web from XWikiDocument doc "
+            + "where doc.name = 'WebHome' order by doc.web";
+        this.dbListClass.setSql(sqlWithFullName);
+
+        Query query = mock(Query.class);
+        when(this.secureQueryManager.createQuery(sqlWithFullName, Query.HQL)).thenReturn(query);
+
+        assertSame(query, this.builder.build(this.dbListClass));
+
+        verify(query).setWiki("math");
+        // SQL contains "doc.fullName as permissionCheck", so the viewable value filter must be applied.
+        verify(query).addFilter(this.viewableValueFilter);
     }
 }